Hi,
I am trying to make the builtin syslog audisp plugin use a custom
facility/priority pair for the messages it forwards to the syslog
daemon. For that I am using the patch and the configuration below.
The problem is that neither compiling nor starting audispd reports any
errors with this customization, yet the syslog daemon still receives
the messages from audisp with the default facility (LOG_USER). So I
need a little help here.
I would appreciate any help.
Thanks,
--
Cosmih
============================================================
/etc/audisp/plugins.d/syslog.conf
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_ALERT LOG_KERN
format = string
============================================================
============================================================
diff -ur audit-2.0.4/audisp/audispd-builtins.c
audit-2.0.4-new/audisp/audispd-builtins.c
--- audit-2.0.4/audisp/audispd-builtins.c 2009-12-07 23:16:41.000000000 +0200
+++ audit-2.0.4-new/audisp/audispd-builtins.c 2010-05-25
16:56:18.000000000 +0300
@@ -37,7 +37,7 @@
// Local data
static volatile int sock = -1, conn = -1;
-static int syslog_started = 0, priority;
+static int syslog_started = 0, priority, facility;
static char *path = NULL;
// Local prototypes
@@ -278,8 +278,25 @@
syslog_started = 0;
return;
}
- } else
+ } else {
priority = LOG_INFO;
+ }
+ if (conf->args[2]) {
+ if (strcasecmp(conf->args[2], "LOG_USER") == 0)
+ facility = LOG_USER
+ else if (strcasecmp(conf->args[2], "LOG_DAEMON") == 0)
+ facility = LOG_DAEMON;
+ else if (strcasecmp(conf->args[2], "LOG_KERN") == 0)
+ facility = LOG_KERN;
+ else {
+ syslog(LOG_ERR, "Unknown log priority %s",
+ conf->args[2]);
+ syslog_started = 0;
+ return;
+ }
+ else {
+ facility = LOG_KERN;
+ }
syslog_started = 1;
syslog(LOG_INFO, "syslog plugin initialized");
}
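Review bot: The facility this hunk selects by default and on `LOG_KERN` is numerically 0, so `facility|priority` carries no facility bits and syslog(3) fills in the openlog() default, which is LOG_USER when openlog() was never called — exactly the result reported; a user-space process cannot tag messages as kernel facility through syslog(3), so LOG_KERN should be rejected rather than offered. As posted the hunk also cannot compile: `facility = LOG_USER` lacks a semicolon and the `else {` after the inner error block has no matching `if` because the `if (conf->args[2]) {` block is never closed, which suggests the running binary was built from different source. The error text `"Unknown log priority %s"` should read `"Unknown log facility %s"`, since it reports the second argument. Audit records carry usernames and paths, so a facility that syslog daemons conventionally route to a root-only file (LOG_AUTHPRIV, or one of LOG_LOCAL0–7) is the safer choice; the start of start_syslog() lies outside the hunk.
```c
	if (conf->args[2]) {
		if (strcasecmp(conf->args[2], "LOG_USER") == 0)
			facility = LOG_USER;
		else if (strcasecmp(conf->args[2], "LOG_DAEMON") == 0)
			facility = LOG_DAEMON;
		else if (strcasecmp(conf->args[2], "LOG_AUTHPRIV") == 0)
			facility = LOG_AUTHPRIV;
		else if (strcasecmp(conf->args[2], "LOG_LOCAL0") == 0)
			facility = LOG_LOCAL0;
		else {
			/* LOG_KERN is 0: syslog(3) replaces a zero facility with
			 * openlog()'s default, so it is deliberately not accepted. */
			syslog(LOG_ERR, "Unknown log facility %s",
				conf->args[2]);
			syslog_started = 0;
			return;
		}
	} else {
		facility = LOG_USER;
	}
	/* … unchanged: syslog_started = 1 and the "initialized" message … */
```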
@@ -287,7 +304,7 @@
void send_syslog(const char *s)
{
if (syslog_started)
- syslog(priority, "%s", s);
+ syslog(facility|priority, "%s", s);
}
void destroy_syslog(void)
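Review bot: The `syslog(facility|priority, "%s", s)` call is the right shape, but it only takes effect when `facility` is non-zero: LOG_KERN is 0, so with the configuration shown the argument equals plain `priority` and syslog(3) substitutes the openlog() default facility (LOG_USER) — which is the behaviour observed. A comment above the call would save the next reader the same hunt, e.g. `/* facility must be non-zero; syslog(3) replaces a zero facility with openlog()'s default (LOG_USER) */`. The `"%s"` format is kept, so audit record text is never interpreted as a format string.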
============================================================